Stock Entry Analyzer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent stock-analysis skill, but some included scripts can silently use a local Eastmoney credential and pass the broader process environment to another local data script.

Review before installing or running the helper scripts. Only use it if you are comfortable with local stock-data skills being invoked and an Eastmoney API key being read from the OpenClaw vault for some scripts. Avoid wiring it into scheduled monitoring until credential handling and threshold inconsistencies are fixed, and do not treat its buy/entry outputs as personalized financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        import subprocess
        env = {**os.environ, 'EM_API_KEY': em_api_key}
        result = subprocess.run(
            ['python3', '/root/.openclaw/workspace/skills/mx-finance-data/scripts/get_data.py',
             '--query', f'{code.replace(".HK", "")}.HK EMA 均线'],
            capture_output=True,
Confidence
73% confidence
Finding
result = subprocess.run( ['python3', '/root/.openclaw/workspace/skills/mx-finance-data/scripts/get_data.py', '--query', f'{code.replace(".HK", "")}.HK EMA 均线'],

Tainted flow: 'env' from os.environ.get (line 77, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
try:
        import subprocess
        env = {**os.environ, 'EM_API_KEY': em_api_key}
        result = subprocess.run(
            ['python3', '/root/.openclaw/workspace/skills/mx-finance-data/scripts/get_data.py',
             '--query', f'{code.replace(".HK", "")}.HK EMA 均线'],
            capture_output=True,
Confidence
93% confidence
Finding
result = subprocess.run( ['python3', '/root/.openclaw/workspace/skills/mx-finance-data/scripts/get_data.py', '--query', f'{code.replace(".HK", "")}.HK EMA 均线'],

Tainted flow: 'env' from os.environ.get (line 87, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
try:
        import subprocess
        env = {**os.environ, 'EM_API_KEY': em_api_key}
        result = subprocess.run(
            ['python3', '/root/.openclaw/workspace/skills/mx-finance-data/scripts/get_data.py',
             '--query', f'{code.replace(".HK", "")}.HK EMA 均线'],
            capture_output=True,
Confidence
84% confidence
Finding
result = subprocess.run( ['python3', '/root/.openclaw/workspace/skills/mx-finance-data/scripts/get_data.py', '--query', f'{code.replace(".HK", "")}.HK EMA 均线'],

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The file defines conflicting BIAS entry thresholds: earlier it states the buy signal is 5%-15%, while the sample output later checks for 0.6%-1.8%. In a financial-analysis skill, this contradiction can cause the agent to produce inconsistent or materially misleading buy recommendations depending on which section it follows.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This script retrieves credential material from environment or vault storage and then invokes another finance-data skill, effectively chaining privileged data access across components. That cross-skill secret use is dangerous because it couples a reporting script to sensitive credentials without clear user disclosure or isolation, making accidental secret exposure or misuse more likely.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README shows very broad natural-language invocations such as analyzing whether a stock is suitable to buy, without defining strict trigger boundaries, input constraints, or exclusions. In an agent ecosystem, this can cause accidental over-invocation, ambiguous routing, or execution on unintended user prompts, increasing the chance that the skill is called in contexts it was not meant to handle.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger phrases are broad enough to match ordinary stock-discussion requests, so the skill may activate in cases where the user did not explicitly request this methodology or a trading-style recommendation. In this context, overbroad activation is risky because it can steer generic financial conversations into prescriptive entry analysis and concrete buy/sell guidance.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document provides specific trading thresholds, entry conditions, and exit rules that can be interpreted as actionable investment guidance, but it does not include any disclaimer that the material is informational, not personalized financial advice, and involves risk. In a skill context, users may rely on these concrete signals without understanding limitations, market regime dependence, or loss potential, increasing the chance of financial harm.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The script silently reads a credential file from a vault path to obtain an API key for downstream use. In this skill context, accessing stored secrets without explicit user disclosure or least-privilege controls increases the risk of unauthorized secret use and makes the skill more dangerous because it bridges analysis logic with sensitive credentials.

Missing User Warnings

Medium
Confidence
69% confidence
Finding
The script silently reads a credential file from a fixed path without clear disclosure to the caller, which can violate the principle of least surprise and cause unauthorized secret use in shared agent environments. In a skill ecosystem, hidden credential access is more sensitive because users may not expect local secret material to be consumed automatically.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code reads an API credential from the environment or a vault file and forwards it to a subprocess, increasing the attack surface for secret exposure. If the downstream script is compromised, verbose, or accessible to less-trusted code, the key can be leaked through process environment inspection, logs, exceptions, or secondary command execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code silently reads a sensitive credential file from the vault when an environment variable is absent, without any user-facing notice, consent, or audit-oriented guardrails. In an agent skill context, undisclosed access to vault secrets is a real security concern because users may not expect a stock analysis report to consume privileged credentials.

VirusTotal

66/66 vendors flagged this skill as clean.
